v1.6.10

~重写nftables支持，尝试支持全功能ipv6路由 ~定时任务增加自定义语句功能 ~修复ipv6 tproxy下quic屏蔽 ~启动自检优化 ~部分功能描述优化
2022-12-01 23:10:49 +08:00
parent 18bb5069ce
commit 70f3256576
3 changed files with 140 additions and 112 deletions
--- a/scripts/clash.sh
+++ b/scripts/clash.sh
@@ -51,8 +51,6 @@ getconfig(){
 		auto="\033[31m未设置开机启动！\033[0m"
 		auto1="\033[36m允许\033[0mclash开机启动"
 	fi
-	#获取运行模式
-	[ -z "$redir_mod" ] && redir_mod=纯净模式
 	#获取运行状态
 	PID=$(pidof clash)
 	if [ -n "$PID" ];then
@@ -100,7 +98,6 @@ errornum(){
 	echo -e "\033[31m请输入正确的数字！\033[0m"
 }
 startover(){
-	source $ccfg
 	echo -e "\033[32mclash服务已启动！\033[0m"
 	if [ -n "$hostdir" ];then
 		echo -e "请使用 \033[4;32mhttp://$host$hostdir\033[0m 管理内置规则"
@@ -1025,7 +1022,7 @@ clashadv(){
 	echo -e "\033[30;47m欢迎使用进阶模式菜单：\033[0m"
 	echo -e "\033[33m如您并不了解clash的运行机制，请勿更改本页面功能！\033[0m"
 	echo -----------------------------------------------
-	echo -e " 1 启用ipv6支持:	\033[36m$ipv6_support\033[0m	————实验性功能，可能不稳定"
+	echo -e " 1 代理ipv6流量:	\033[36m$ipv6_support\033[0m	————关闭时不会影响本机ipv6"
 	#echo -e " 2 配置Meta特性"
 	echo -e " 4 启用域名嗅探:	\033[36m$sniffer\033[0m	————用于流媒体及防DNS污染"
 	echo -e " 5 启用公网访问:	\033[36m$public_support\033[0m	————需要路由拨号+公网IP"
@@ -1045,8 +1042,9 @@ clashadv(){
 	elif [ "$num" = 1 ]; then
 		echo -----------------------------------------------
 		if [ "$ipv6_support" = "未开启" ] > /dev/null 2>&1; then 
-			echo -e "\033[33m已开启对ipv6协议的支持！！\033[0m"
-			echo -e "Clash对ipv6的支持并不友好，如不能使用请静等修复！"
+			echo -e "\033[33m已开启对ipv6流量的代理！！\033[0m"
+			echo -e "如果启用后导致部分应用加载缓慢，请关闭此功能即可恢复"
+			echo -e "\033[31m除非特殊需要，否则无需开启此功能！\033[0m"
 			ipv6_support=已开启
 			sleep 2
 		else
@@ -1063,7 +1061,7 @@ clashadv(){
 				rm -rf $bindir/clash
 				clashcore=clash.meta
 				setconfig clashcore $clashcore
-				echo "已将clash内核切换为Meta内核！"
+				echo "已将clash内核切换为Meta内核！域名嗅探依赖Meta或者高版本clashpre内核！"
 			fi
 			sniffer=已启用
 		else
@@ -1442,7 +1440,9 @@ clashcron(){
 	echo -e " 2 设置\033[31m定时停止\033[0mclash服务"
 	echo -e " 3 设置\033[32m定时开启\033[0mclash服务"
 	echo -e " 4 设置\033[33m定时更新\033[0m订阅并重启服务"
-	echo -e " 5 设置\033[33m定时更新\033[0m订阅但不重启服务"
+	echo -e " 5 设置\033[33m定时热更新\033[0m订阅"
+	echo -e " 6 设置\033[36m自定义命令\033[0m"
+	echo -e " 7 删除\033[31m指定任务\033[0m"
 	echo -----------------------------------------------
 	echo -e " 0 返回上级菜单" 
 	read -p "请输入对应数字 > " num
@@ -1475,6 +1475,36 @@ clashcron(){
 		cronset="$clashdir/start.sh updateyaml"
 		setcron	
 		clashcron
+	elif [ "$num" = 6 ]; then
+		echo -----------------------------------------------
+		echo -e "\033[33m可包含空格，请确保命令可执行！\033[0m"
+		read -p "请输入命令语句 > " script
+		if [ -n "$script" ];then
+			cronset=\'$script\'
+			echo -e "请检查输入：\033[32m$cronset\033[0m"
+			read -p "请输入任务备注 > " txt
+			[ -n "$txt" ] && cronname=$txt || cronname=ShellClash自定义
+			cronset="$clashdir/start.sh updateyaml"
+			setcron	
+		else
+			echo -e "\033[31m输入错误，请重新输入！\033[0m"
+			sleep 1
+		fi
+		clashcron
+	elif [ "$num" = 7 ]; then	
+		echo -----------------------------------------------
+		echo -e "\033[33m将按照关键词匹配并删除所有匹配！\033[0m"
+		read -p "请输入备注的关键词 > " txt
+		[ -n "$txt" ] && {
+			cronname=$txt
+			croncmd -l > /tmp/conf && sed -i "/$cronname/d" /tmp/conf && croncmd /tmp/conf
+			sed -i "/$cronname/d" $clashdir/cron 2>/dev/null
+			rm -f /tmp/conf
+			echo -----------------------------------------------
+			echo -e "所有关键词\033[32m$cronname\033[0m匹配的定时任务均已删除！\033[0m"
+			sleep 1
+		}
+		clashcron
 	else
 		errornum
 	fi
--- a/scripts/getdate.sh
+++ b/scripts/getdate.sh
@@ -1109,9 +1109,8 @@ testcommand(){
 		exit;
 	elif [ "$num" = 4 ]; then

-		if [ -n "$(echo $redir_mod | grep 'Nft')" ];then
-			nft list table shellclash
-			[ "$ipv6_support" = "已开启" ] && nft list table ip6 shellclashv6
+		if [ -n "$(echo $redir_mod | grep 'Nft')" -o "$local_type" = "nftables增强模式" ];then
+			nft list table inet shellclash
 		else
 			echo -------------------Redir---------------------
 			iptables  -t nat  -L PREROUTING --line-numbers
--- a/scripts/start.sh
+++ b/scripts/start.sh
@@ -26,7 +26,7 @@ getconfig(){
 	[ -z "$sniffer" ] && sniffer=已开启
 	#是否代理常用端口
 	[ -z "$common_ports" ] && common_ports=已开启
-	[ -z "$multiport" ] && multiport='22,53,587,465,995,993,143,80,443,8080'
+	[ -z "$multiport" ] && multiport='22,53,123,587,465,995,993,143,80,443,8080'
 	[ "$common_ports" = "已开启" ] && ports="-m multiport --dports $multiport"
 }
 setconfig(){
@@ -46,7 +46,7 @@ compare(){
 logger(){
 	[ -n "$2" ] && echo -e "\033[$2m$1\033[0m"
 	echo `date "+%G-%m-%d %H:%M:%S"` $1 >> $clashdir/log
-	[ "$(wc -l $clashdir/log | awk '{print $1}')" -gt 30 ] && sed -i '1,5d' $clashdir/log
+	[ "$(wc -l $clashdir/log | awk '{print $1}')" -gt 20 ] && sed -i '1,5d' $clashdir/log
 }
 croncmd(){
 	if [ -n "$(crontab -h 2>&1 | grep '\-l')" ];then
@@ -211,22 +211,6 @@ EOF`
 			echo -----------------------------------------------
 			exit 1
 		fi
-		#检测vless/hysteria协议
-		if [ -n "$(cat $yamlnew | grep -oE 'type: vless|type: hysteria')" ] && [ "$clashcore" != "clash.meta" ];then
-			echo -----------------------------------------------
-			logger "检测到vless/hysteria协议！将改为使用clash.meta核心启动！" 33
-			rm -rf $bindir/clash
-			setconfig clashcore clash.meta
-			echo -----------------------------------------------
-		fi
-		#检测是否存在高级版规则
-		if [ "$clashcore" = "clash" -a -n "$(cat $yamlnew | grep -E '^script:|proxy-providers|rule-providers|rule-set')" ];then
-			echo -----------------------------------------------
-			logger "检测到高级规则！将改为使用clashpre核心启动！" 33
-			rm -rf $bindir/clash
-			setconfig clashcore clashpre
-			echo -----------------------------------------------
-		fi
 		#检测并去除无效节点组
 		[ -n "$url_type" ] && type xargs >/dev/null 2>&1 && {
 		cat $yamlnew | grep -A 8 "\- name:" | xargs | sed 's/- name: /\n/g' | sed 's/ type: .*proxies: /#/g' | sed 's/ rules:.*//g' | sed 's/- //g' | grep -E '#DIRECT $' | awk -F '#' '{print $1}' > /tmp/clash_proxies_$USER
@@ -415,11 +399,11 @@ cn_ip_route(){
 			[ "$?" = "1" ] && rm -rf $bindir/cn_ip.txt && logger "列表下载失败！" 31 
 		fi
 	}
-	[ "$dns_mod" = "redir_host" -a "$cn_ip_route" = "已开启" -a -f $bindir/cn_ip.txt -a -z "$(echo $redir_mod|grep -o 'Ntf')" ] && {
+	[ -f $bindir/cn_ip.txt -a -z "$(echo $redir_mod|grep 'Nft')" ] && {
 			echo "create cn_ip hash:net family inet hashsize 1024 maxelem 65536" > /tmp/cn_$USER.ipset
 			awk '!/^$/&&!/^#/{printf("add cn_ip %s'" "'\n",$0)}' $bindir/cn_ip.txt >> /tmp/cn_$USER.ipset
 			ipset -! flush cn_ip 2>/dev/null
-			ipset -! restore < /tmp/cn_$USER.ipset
+			ipset -! restore < /tmp/cn_$USER.ipset 
 			rm -rf cn_$USER.ipset
 	}
 }
@@ -477,8 +461,9 @@ start_redir(){
 		fi
 		ip6tables -t nat -A PREROUTING -p tcp -j clashv6
 	fi
+	return 0
 }
-start_dns_redir(){
+start_ipt_dns(){
 	#屏蔽OpenWrt内置53端口转发
 	iptables -t nat -D PREROUTING -p udp --dport 53 -j REDIRECT --to-ports 53 2> /dev/null
 	iptables -t nat -D PREROUTING -p tcp --dport 53 -j REDIRECT --to-ports 53 2> /dev/null
@@ -520,6 +505,7 @@ start_dns_redir(){
 	else
 		ip6tables -I INPUT -p udp --dport 53 -m comment --comment "ShellClash-IPV6_DNS-REJECT" -j REJECT > /dev/null 2>&1
 	fi
+	return 0

 }
 start_tproxy(){
@@ -593,7 +579,9 @@ start_tproxy(){
 		}
 		[ "$1" = "all" ] && tproxy_set6 tcp
 		#tproxy_set6 udp
-		
+		[ "$quic_rj" = 已启用 ] && {
+			ip6tables -I INPUT -p udp --dport 443 -m comment --comment "ShellClash QUIC REJECT" $set_cn_ip -j REJECT >/dev/null 2>&1
+		}	
 	}
 }
 start_output(){
@@ -640,6 +628,8 @@ start_tun(){
 		[ "$dns_mod" = "redir_host" -a "$cn_ip_route" = "已开启" ] && set_cn_ip='-m set ! --match-set cn_ip dst'
 		iptables -I FORWARD -p udp --dport 443 -o utun -m comment --comment "ShellClash-QUIC-REJECT" $set_cn_ip -j REJECT >/dev/null 2>&1 
 	fi
+	
+	return 0
 }
 start_nft(){
 	[ "$common_ports" = "已开启" ] && PORTS=$(echo $multiport | sed 's/,/, /g')
@@ -647,85 +637,60 @@ start_nft(){
 	#设置策略路由
 	ip rule add fwmark 1 table 100 2> /dev/null
 	ip route add local default dev lo table 100 2> /dev/null
-	#初始化nftables
-	nft add table shellclash 2> /dev/null
-	nft flush table shellclash 2> /dev/null
-	[ "$redir_mod" = "Nft基础" ] && {
-		nft add chain shellclash prerouting { type nat hook prerouting priority -100 \; }
-	}
+	[ "$redir_mod" = "Nft基础" ] && \
+		nft add chain inet shellclash prerouting { type nat hook prerouting priority -100 \; }
 	[ "$redir_mod" = "Nft混合" ] && {
 		modprobe nft_tproxy &> /dev/null
-		nft add chain shellclash prerouting { type filter hook prerouting priority 0 \; }
+		nft add chain inet shellclash prerouting { type filter hook prerouting priority 0 \; }
 	}
 	[ -n "$(echo $redir_mod|grep Nft)" ] && {
-		#设置DNS转发
-		nft add chain shellclash dns { type nat hook prerouting priority -100 \; }
 		#过滤局域网设备
 		[ -n "$(cat $clashdir/mac)" ] && {
 			MAC=$(awk '{printf "%s, ",$1}' $clashdir/mac)
-			[ "$macfilter_type" = "黑名单" ] && {
-				nft add rule shellclash dns ether saddr {${MAC}} return
-				nft add rule shellclash prerouting ether saddr {${MAC}} return
-				}
-			[ "$macfilter_type" = "白名单" ] && {
-				nft add rule shellclash dns ether saddr != {${MAC}} return
-				nft add rule shellclash prerouting ether saddr != {${MAC}} return
-			}
+			[ "$macfilter_type" = "黑名单" ] && \
+				nft add rule inet shellclash prerouting ether saddr {${MAC}} return || \
+				nft add rule inet shellclash prerouting ether saddr != {${MAC}} return
 		}
-		nft add rule shellclash dns udp dport 53 redirect to ${dns_port}
-		nft add rule shellclash dns tcp dport 53 redirect to ${dns_port}
 		#过滤保留地址
-		nft add rule shellclash prerouting ip daddr {${RESERVED_IP}} return
+		nft add rule inet shellclash prerouting ip daddr {${RESERVED_IP}} return
 		#过滤CN-IP
 		[ "$dns_mod" = "redir_host" -a "$cn_ip_route" = "已开启" -a -f $bindir/cn_ip.txt ] && {
 			CN_IP=$(awk '{printf "%s, ",$1}' $bindir/cn_ip.txt)
-			[ -n "$CN_IP" ] && nft add rule shellclash prerouting ip daddr {${CN_IP}} return
+			[ -n "$CN_IP" ] && nft add rule inet shellclash prerouting ip daddr {${CN_IP}} return
 		}
 		#过滤常用端口
-		[ -n "$PORTS" ] && nft add rule shellclash prerouting tcp dport != {${PORTS}} return
+		[ -n "$PORTS" ] && nft add rule inet shellclash prerouting tcp dport != {${PORTS}} return
+		#ipv6支持
+		if [ "$ipv6_support" = "已开启" ];then
+			RESERVED_IP6="{::1/128, fc00::/7, fe80::/10}"
+			ip -6 rule add fwmark 1 table 101 2> /dev/null
+			ip -6 route add local ::/0 dev lo table 101 2> /dev/null
+			nft add rule inet shellclash prerouting ip6 daddr {${RESERVED_IP6}} return
+		else
+			nft add rule inet shellclash prerouting meta nfproto ipv6 return
+		fi
 		#透明路由
-		[ "$redir_mod" = "Nft基础" ] && nft add rule shellclash prerouting meta l4proto tcp mark set 1 redirect to ${redir_port}
-		[ "$redir_mod" = "Nft混合" ] && nft add rule shellclash prerouting meta l4proto {tcp, udp} mark set 1 tproxy to 127.0.0.1:${tproxy_port}
+		[ "$redir_mod" = "Nft基础" ] && nft add rule inet shellclash prerouting meta l4proto tcp mark set 1 redirect to ${redir_port}
+		[ "$redir_mod" = "Nft混合" ] && nft add rule inet shellclash prerouting meta l4proto {tcp, udp} mark set 1 tproxy to :${tproxy_port}
 	}
 	#屏蔽QUIC
 	[ "$quic_rj" = 已启用 ] && {
-		nft add chain shellclash input { type filter hook input priority 0 \; }
-		nft add rule shellclash input udp dport 443 reject comment 'ShellClash-QUIC-REJECT'
+		nft add chain inet shellclash input { type filter hook input priority 0 \; }
+		[ -n "$CN_IP" ] && nft add rule inet shellclash input ip daddr {${CN_IP}} return
+		nft add rule inet shellclash input udp dport 443 reject comment 'ShellClash-QUIC-REJECT'
 	}
-	#ipv6支持
-	[ "$ipv6_support" = "已开启" ] && {
-		RESERVED_IP6="{::1/128, fc00::/7, fe80::/10}"
-		nft add table ip6 shellclashv6 2> /dev/null
-		nft flush table ip6 shellclashv6 2> /dev/null
-		nft add chain ip6 shellclashv6 prerouting { type nat hook prerouting priority -100 \; }
-		#过滤局域网设备
-		[ -n "$(cat $clashdir/mac)" ] && {
-			MAC=$(awk '{printf "%s, ",$1}' $clashdir/mac)
-			[ "$macfilter_type" = "黑名单" ] && {
-				nft add rule ip6 shellclashv6 prerouting ether saddr {${MAC}} return 
-			} || {
-				nft add rule ip6 shellclashv6 prerouting ether saddr != {${MAC}} return
-			}
-		}
-		nft add rule ip6 shellclashv6 prerouting udp dport 53 redirect to ${dns_port}
-		nft add rule ip6 shellclashv6 prerouting tcp dport 53 redirect to ${dns_port}
-		nft add rule ip6 shellclashv6 prerouting ip6 daddr {${RESERVED_IP6}} return
-		[ -n "$PORTS" ] && nft add rule ip6 shellclashv6 prerouting tcp dport != {${PORTS}} return
-		nft add rule ip6 shellclashv6 prerouting meta l4proto tcp redirect to ${redir_port}
-	}
-	#代理本机
+	#代理本机(仅TCP)
 	[ "$local_proxy" = "已开启" ] && [ "$local_type" = "nftables增强模式" ] && {
 		#dns
-		nft add chain shellclash dns_out { type nat hook output priority -100 \; }
-		nft add rule shellclash dns_out meta skgid 7890 return && {
-			nft add rule shellclash dns_out udp dport 53 redirect to ${dns_port}
-		}
+		nft add chain inet shellclash dns_out { type nat hook output priority -100 \; }
+		nft add rule inet shellclash dns_out meta skgid 7890 return && \
+		nft add rule inet shellclash dns_out udp dport 53 redirect to ${dns_port}
 		#output
-		nft add chain shellclash output { type nat hook output priority -100 \; }
-		nft add rule shellclash output meta skgid 7890 return && {
-			[ -n "$PORTS" ] && nft add rule shellclash output tcp dport != {${PORTS}} return
-			nft add rule shellclash output ip daddr {${RESERVED_IP}} return
-			nft add rule shellclash output meta l4proto tcp mark set 1 redirect to ${redir_port}
+		nft add chain inet shellclash output { type nat hook output priority -100 \; }
+		nft add rule inet shellclash output meta skgid 7890 return && {
+			[ -n "$PORTS" ] && nft add rule inet shellclash output tcp dport != {${PORTS}} return
+			nft add rule inet shellclash output ip daddr {${RESERVED_IP}} return
+			nft add rule inet shellclash output meta l4proto tcp mark set 1 redirect to ${redir_port}
 		}
 		#Docker
 		type docker &>/dev/null && {
@@ -734,6 +699,18 @@ start_nft(){
 		}
 	}
 }
+start_nft_dns(){
+	nft add chain inet shellclash dns { type nat hook prerouting priority -100 \; }
+	#过滤局域网设备
+	[ -n "$(cat $clashdir/mac)" ] && {
+		MAC=$(awk '{printf "%s, ",$1}' $clashdir/mac)
+		[ "$macfilter_type" = "黑名单" ] && \
+			nft add rule inet shellclash dns ether saddr {${MAC}} return || \
+			nft add rule inet shellclash dns ether saddr != {${MAC}} return
+	}
+	nft add rule inet shellclash dns udp dport 53 redirect to ${dns_port}
+	nft add rule inet shellclash dns tcp dport 53 redirect to ${dns_port}
+}
 start_wan(){
 	[ "$mix_port" = "7890" -o -z "$authentication" ] && {
 	iptables -A INPUT -p tcp -s 10.0.0.0/8 --dport $mix_port -j ACCEPT
@@ -834,8 +811,8 @@ stop_firewall(){
 	ip route del local 172.16.0.0/12 dev lo table 102 2> /dev/null
 	#重置nftables相关规则
 	type nft >/dev/null 2>&1 && {
-		nft flush table shellclash >/dev/null 2>&1
-		nft delete table shellclash >/dev/null 2>&1
+		nft flush table inet shellclash >/dev/null 2>&1
+		nft delete table inet shellclash >/dev/null 2>&1
 	}
 }
 #面板配置保存相关
@@ -915,12 +892,36 @@ bfstart(){
 	#读取配置文件
 	getconfig
 	[ ! -d $bindir/ui ] && mkdir -p $bindir/ui
-	update_url=https://ghproxy.com/https://raw.githubusercontent.com/juewuy/ShellClash/master
-	#延迟启动
-	[ -n "$start_delay" -a ! -f /tmp/clash_start_time ] && {
-	logger "clash将延迟$start_delay秒启动" 31
-	sleep $start_delay
-	}
+	[ -z "$update_url" ] && update_url=https://fastly.jsdelivr.net/gh/juewuy/ShellClash@master
+	#检查yaml配置文件
+	if [ ! -f $clashdir/config.yaml ];then
+		if [ -n "$Url" -o -n "$Https" ];then
+			logger "未找到配置文件，正在下载！" 33
+			getyaml
+			exit 0
+		else
+			logger "未找到配置文件链接，请先导入配置文件！" 31
+			exit 1
+		fi
+	fi
+	#检测vless/hysteria协议
+	if [ -n "$(cat $clashdir/config.yaml | grep -oE 'type: vless|type: hysteria')" ] && [ "$clashcore" != "clash.meta" ];then
+		echo -----------------------------------------------
+		logger "检测到vless/hysteria协议！将改为使用clash.meta核心启动！" 33
+		rm -rf $bindir/clash
+		clashcore=clash.meta
+		setconfig clashcore clash.meta
+		echo -----------------------------------------------
+	fi
+	#检测是否存在高级版规则
+	if [ "$clashcore" = "clash" -a -n "$(cat $clashdir/config.yaml | grep -E '^script:|proxy-providers|rule-providers|rule-set')" ];then
+		echo -----------------------------------------------
+		logger "检测到高级规则！将改为使用clashpre核心启动！" 33
+		rm -rf $bindir/clash
+		clashcore=clashpre
+		setconfig clashcore clashpre
+		echo -----------------------------------------------
+	fi
 	#检查clash核心
 	if [ ! -f $bindir/clash ];then
 		if [ -f $clashdir/clash ];then
@@ -963,17 +964,6 @@ bfstart(){
 	[ "$?" = 1 ] && restore=true || restore=false
 	#生成pac文件
 	catpac
-	#检查yaml配置文件
-	if [ ! -f $clashdir/config.yaml ];then
-		if [ -n "$Url" -o -n "$Https" ];then
-			logger "未找到配置文件，正在下载！" 33
-			getyaml
-			exit 0
-		else
-			logger "未找到配置文件链接，请先导入配置文件！" 31
-			exit 1
-		fi
-	fi
 	#预下载Geosite数据库
 	if [ "$clashcore" = "clash.meta" ] && [ ! -f $bindir/geosite.dat ] && [ -n "$(cat $clashdir/config.yaml|grep -Ei 'geosite')" ];then
 		if [ -f $clashdir/geosite.dat ];then
@@ -1013,6 +1003,11 @@ afstart(){

 	#读取配置文件
 	getconfig
+	#延迟启动
+	[ -n "$start_delay" -a ! -f /tmp/clash_start_time ] && {
+	logger "clash将延迟$start_delay秒启动" 31
+	sleep $start_delay
+	}
 	$bindir/clash -t -d $bindir >/dev/null
 	if [ "$?" = 0 ];then
 		#设置DNS转发
@@ -1020,7 +1015,7 @@ afstart(){
 			[ "$dns_mod" = "redir_host" ] && [ "$cn_ip_route" = "已开启" ] && cn_ip_route
 			if [ "$dns_no" != "已禁用" ];then
 				if [ "$dns_redir" != "已开启" ];then
-					start_dns_redir
+					[ -n "$(echo $redir_mod|grep Nft)" ] && start_nft_dns || start_ipt_dns
 				else
 					#openwrt使用dnsmasq转发
 					uci del dhcp.@dnsmasq[-1].server >/dev/null 2>&1
@@ -1038,8 +1033,12 @@ afstart(){
 		[ "$redir_mod" = "Tproxy混合" ] && start_dns && start_redir && start_tproxy udp
 		[ "$redir_mod" = "Tun模式" ] && start_dns && start_tun
 		[ "$redir_mod" = "Tproxy模式" ] && start_dns && start_tproxy all
-		[ "$redir_mod" = "Nft基础" ] && start_nft
-		[ "$redir_mod" = "Nft混合" ] && start_nft
+		[ -n "$(echo $redir_mod|grep Nft)" ] && {
+			nft add table inet shellclash 2> /dev/null #初始化nftables
+			nft flush table inet shellclash 2> /dev/null
+			start_dns
+			start_nft
+		}
 		#设置本机代理
 		[ "$local_proxy" = "已开启" ] && [ "$local_type" = "环境变量" ] && $0 set_proxy $mix_port $db_port
 		[ "$local_proxy" = "已开启" ] && [ "$local_type" = "iptables增强模式" ] && start_output